Setting up Ubuntu 16.04 as webserver
Foreword
This guide assumes that you are working on a fresh copy of Ubuntu 16.04. It covers the following:
- SSH will listen on `Port 9999`
- The root user will log in with an SSH private key and will not be prompted for a password
- Setting up a sudoer user (a non-root user that can issue root commands by using the `sudo` utility). In this guide we will set up the user `arvil`
- Setting up the sudoer to log in with an SSH private key, without being prompted for a password
- All other (non-root, non-sudoer) users can log in with regular username/password SSH authentication
- Setting the timezone to `Asia/Manila`
- Setting `en_US.UTF-8` as the locale
- Setting up `ufw` (firewall)
Update packages
- Create a new screen session
- Login with the default root user.
- Issue the following command to retrieve new package information and upgrade outdated packages:
screen -S setup
apt update
apt upgrade -y
# For one-liner command
apt update && apt upgrade -y
Also clean up old packages:
apt autoremove -y
Setting up SSH
- Create the directory and file required
- Copy the public key you generated to that file
mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys
vim ~/.ssh/authorized_keys
#or 1 liner
mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && vim ~/.ssh/authorized_keys
Creating and setting sudo-er User
(A non-root user that can issue elevated commands)
- Issue the following command to create a new user `arvil`
- Add `arvil` to the sudo group
- Confirm that the user is in the sudo group
adduser arvil
usermod -aG sudo arvil
grep 'sudo' /etc/group
# or one liner
adduser arvil && usermod -aG sudo arvil && grep 'sudo' /etc/group
#should output:
#sudo:x:<some-number>:arvil
Setting up the new user SSH
- Login as the new sudoer user
- Also implement the SSH keys for it
- Copy the public key to its `authorized_keys` file
su - arvil
mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && vim ~/.ssh/authorized_keys
# after copying the key, logout to return to root
logout
Update SSH config file
- Replace the SSH port: `Port 22` => `Port 9999` (we will log in on `Port 9999` instead of `Port 22`)
- Disable PasswordAuthentication for `root` and the sudoer group. For other users, allow them to use their password.
- Test the changes made in the SSH config file. If there is no error, reboot; otherwise fix as per the error message
vim /etc/ssh/sshd_config
# Find `Port`
Port 9999
# At the end of the file
# append the following:
PasswordAuthentication yes
Match User root
    PasswordAuthentication no
Match Group sudo
    PasswordAuthentication no
# Test the changes made
sshd -t
# If no error, reboot (sshd starts with the new config)
reboot
- Try logging in with `root` and `arvil` on the new `Port 9999`
- They should both prompt that they need the proper private key in order to login
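As an added example (not part of the original guide), the shell function below resolves which `PasswordAuthentication` value applies to an account, following sshd's rules that the first value obtained for a keyword wins and that satisfied `Match` blocks override the global section. It understands only exact-name `Match User`, `Match Group` and `Match all` lines, and `deploy` is a hypothetical non-sudo account.

```sh
# Added example, not part of the guide. Reads an sshd_config on stdin and
# prints the PasswordAuthentication value sshd would apply to one account.
# Assumptions: only "Match User", "Match Group" and "Match all" are handled,
# and names are compared exactly (no wildcards or negation).
# usage: effective_password_auth USER GROUP1,GROUP2 < sshd_config
effective_password_auth() {
    awk -v user="$1" -v groups="$2" '
    function in_list(name, list,    i, n, a) {
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == name) return 1
        return 0
    }
    function any_group(list,    i, n, g) {
        n = split(groups, g, ",")
        for (i = 1; i <= n; i++) if (in_list(g[i], list)) return 1
        return 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    tolower($1) == "match" {                 # every Match line opens a new block
        in_match = 1; active = 1
        for (i = 2; i <= NF; i += 2) {
            crit = tolower($i)
            if (crit == "all") { i--; continue }   # "all" takes no argument
            if (crit == "user" && in_list(user, $(i+1))) continue
            if (crit == "group" && any_group($(i+1))) continue
            active = 0                       # not satisfied, or not supported here
        }
        next
    }
    tolower($1) == "passwordauthentication" {
        val = tolower($2)
        if (!in_match && glob == "") glob = val                   # first global value wins
        if (in_match && active && matched == "") matched = val    # first satisfied block wins
    }
    END { print (matched != "" ? matched : (glob != "" ? glob : "yes")) }
    '
}

# Constructed sample: the lines the guide appends to /etc/ssh/sshd_config.
sample_config() {
    printf '%s\n' 'Port 9999' 'PasswordAuthentication yes' \
        'Match User root' '    PasswordAuthentication no' \
        'Match Group sudo' '    PasswordAuthentication no'
}
# "deploy" is a hypothetical non-sudo account used only for this demo.
for acct in root:root arvil:arvil,sudo deploy:deploy; do
    printf '%s -> %s\n' "${acct%%:*}" \
        "$(sample_config | effective_password_auth "${acct%%:*}" "${acct#*:}")"
done
```

If the stock file already contains an uncommented `PasswordAuthentication no` above the appended lines, the appended `yes` is ignored for regular users, so check for an existing value before appending. Any setting written after a `Match` line belongs to that block, which is why the global `PasswordAuthentication yes` has to come before the first `Match`.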
Update Timezone
As per this guide, we will update the timezone to use `Asia/Manila`
# Confirm that the `date` output is not our desired timezone
date
# Change timezone. To list all available timezones, issue: `timedatectl list-timezones`
sudo timedatectl set-timezone Asia/Manila
# In case that the VPS does not have timedatectl
# bash: timedatectl: command not found
sudo apt install systemd-services
Update locale (support UTF-8 encoding)
For this guide we will use the `en_US.UTF-8` locale
# Confirm that we are not using `en_US.UTF-8`
locale
# Update
sudo locale-gen en_US.UTF-8
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
locale-gen en_US.UTF-8
dpkg-reconfigure locales
sudo reboot
sudo locale
# If that did not work:
sudo apt-get purge locales
sudo apt-get install locales
sudo update-locale LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8
sudo dpkg-reconfigure locales
sudo reboot
Setup UFW Firewall
- Whitelist OpenSSH
- Whitelist our custom SSH Port (`9999`)
- Enable ufw
- Check ufw status if it worked
- Reboot
# Check UFW status
sudo ufw status
# List available app that can be added to
sudo ufw app list
# Make sure OpenSSH is allowed by ufw, if not:
sudo ufw allow OpenSSH
# Whitelist our custom SSH Port
sudo ufw allow 9999
# Enable ufw
sudo ufw enable
# Check status:
sudo ufw status
# Should output:
# arvil@ubuntu-512mb-sgp1-01:~$ sudo ufw status
# Status: active
#
# To                         Action      From
# --                         ------      ----
# OpenSSH                    ALLOW       Anywhere
# 9999                       ALLOW       Anywhere
# OpenSSH (v6)               ALLOW       Anywhere (v6)
# 9999 (v6)                  ALLOW       Anywhere (v6)
sudo reboot